public inbox for pgsql-announce@postgresql.org  
From: pgAdmin Development Team via PostgreSQL Announce <announce-noreply@postgresql.org>
To: PostgreSQL Announce <pgsql-announce@lists.postgresql.org>
Subject: pgAdmin 4 v9.15 Released
Date: Mon, 11 May 2026 16:45:42 +0000
Message-ID: <177851794230.851.10919277514111552494@wrigleys.postgresql.org>

The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.15.

This release of pgAdmin 4 includes 19 bug fixes and new features. For more details please see the release notes at:

<https://www.pgadmin.org/docs/pgadmin4/9.15/release_notes_9_15.html>

pgAdmin is the leading Open Source graphical management tool for PostgreSQL. For more information, please see:

<https://www.pgadmin.org/>

**Notable changes in this release include:**

## Features

- Allow the Docker container image to run as a non-default user via the `PUID` and `PGID` environment variables.

## Bugs/Housekeeping

- Fix cross-user data access and shared-server privilege escalation in server mode (**CVE-2026-7813**).
- Tighten Shared Server feature parity, owner-only field handling, and write guards as a follow-up to the data-isolation hardening.
- Fix stored cross-site scripting (XSS) via crafted PostgreSQL object names rendered in the Browser Tree and Explain Visualizer (**CVE-2026-7814**).
- Fix SQL injection in the Maintenance tool option values (**CVE-2026-7815**).
- Fix OS command injection in Import/Export query export (**CVE-2026-7816**).
- Fix local-file inclusion and server-side request forgery in the LLM API configuration endpoints (**CVE-2026-7817**).
- Fix unsafe deserialization in the session manager that could lead to remote code execution (**CVE-2026-7818**). This change also encrypts session files at rest using Fernet, restricts session-file and `DATA_DIR` permissions to `0o600`, switches the session-digest default from SHA-1 to SHA-256, and drops several non-roundtrippable live objects from the session.
- Fix symlink-based path traversal in the file manager (**CVE-2026-7819**).
- Fix account-lockout bypass on Flask-Security's default `/login` view so the `locked` field is honored on every authentication path (**CVE-2026-7820**).
- Use absolute paths for `a2enmod` and `a2enconf` in the Debian setup script so it works when `/usr/sbin` is not on `PATH`.
- Bump Python and JavaScript runtime/development dependencies, and upgrade ESLint to v10.
- Update the Czech, Italian, Russian, Spanish, and Swedish translations.

## Deprecations

- The **BigAnimal** cloud deployment integration is deprecated and will be removed in the next version of pgAdmin 4.
---

Builds for Windows and macOS are available now, along with a Python Wheel, Docker Container, RPM, DEB Package, and source code tarball from:

<https://www.pgadmin.org/download/>
